In December 2022, threat actors exploited a publicly exposed RDP host to exfiltrate data and deploy Trigona ransomware across the network in about three hours. They used batch scripts and Netscan for discovery, data theft, and lateral movement, with Mega as the exfiltration target and RDP as the pivot for broader access. #Trigona #Netscan
Keypoints
- Threat actors gained initial access by exploiting an exposed RDP host with valid credentials, not via brute force.
- On Christmas Eve, ransomware spread across the entire network within roughly three hours of entry.
- A toolkit of batch scripts and the SoftPerfect Netscan tool was deployed to exfiltrate data, hinder defenses, and enable further intrusion steps.
- The attackers used Netscan to perform discovery, enumerate network shares, and explore documents across hosts.
- RDP was used for lateral movement to file servers, with additional RDP sessions and SMB-based propagation observed.
- Trigona ransomware was deployed and encrypted multiple hosts, delivering double extortion via data exfiltration plus file encryption, and propagated over SMB to other networked systems.
MITRE Techniques
- [T1133] External Remote Services – Initial access via an exposed RDP host using legitimate credentials. ‘login utilized legitimate credentials for the default Administrator account, with no evidence of brute-forcing.’
- [T1078] Valid Accounts – Domain Administrator account used throughout the network to access devices with local admin privileges. ‘the domain Administrator account was used throughout the network providing the actors easy access to all devices with local Administrator privileges.’
- [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement via RDP to file servers. ‘approximately 20 minutes after initial access, the threat actor began lateral movement by establishing an RDP connection to one of the file servers.’
- [T1570] Lateral Tool Transfer – Copied toolkit to the file server for use across new hosts. ‘the threat actor copied their toolkit to the file server.’
- [T1105] Ingress Tool Transfer – Staged Rclone on the beachhead for data exfiltration. ‘staged Rclone on the beachhead.’
- [T1567.002] Exfiltration to Cloud Storage – Data exfiltrated via Rclone to Mega. ‘Rclone exfiltration process to Mega.io.’
- [T1112] Modify Registry – Registry modifications to disable Defender. ‘registry statements commonly employed by threat actors designed to disable the built-in Windows Defender.’
- [T1547.001] Registry Run Keys / Startup Folder – Creation of a Run key to launch the ransomware on login. ‘a new value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.’
- [T1033] System Owner/User Discovery – Commands such as whoami used to identify the current user; ‘whoami.exe’ was observed during the intrusion.
- [T1059.001] PowerShell – Use of PowerShell for script execution. ‘they also used PowerShell and Cmd sessions to execute various scripts.’
- [T1059.003] Windows Command Shell – Use of cmd.exe for batch/script execution. ‘cmd.exe /c net user …’
- [T1562.001] Impair Defenses: Disable or Modify Tools – Defender-related batch files used to disable security tooling. ‘DefenderOFF.bat’ and related commands to disable Defender.
- [T1046] Network Service Scanning – Netscan configured to perform discovery actions across the network. ‘Netscan enumerated the network, the threat actor identified network shares and started exploring them.’
- [T1135] Network Share Discovery – Enumerating writable network shares. ‘Netscan was configured to enumerate write-access to network shares.’
- [T1083] File and Directory Discovery – Discovery of documents and remote files during network exploration. ‘accessing various documents through a web browser’ and related discovery actions.
- [T1486] Data Encrypted for Impact – Trigona encrypts targeted hosts and propagates via SMB. ‘encryption of systems through the use of the Trigona ransomware.’
Indicators of Compromise
- [IP] 77.83.36.6 – initial access / external remote service
- [IP] 193.106.31.98 – subsequent beachhead connection / ransomware staging
- [Hostname] WIN-L1MS2GT1R2G – beachhead host name used during intrusion
- [Hostname] 6CU548W0BH – host accessed during lateral movement
- [File] build_redacted.exe – ransomware binary dropped on hosts
- [File] DefenderOFF.bat – batch script intended to disable Defender
- [File] DefenderON.bat – batch script intended to re-enable Defender
- [File] newuser.bat – batch script creating a new local user and adding to admin groups
- [File] newnewuser.bat – batch script for creating a new local user with restricted visibility
- [File] rclone.exe – exfiltration tool used to copy data to Mega
- [File] netscan.exe – customized Netscan tool used for discovery
- [File] openrdp.bat – script to open RDP access and firewall rules
- [Domain] mega.io / mega.co.nz – cloud storage exfiltration target used via rclone
- [File] how_to_decrypt.hta – ransom note left after encryption
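As an added example (not code from the DFIR Report or from this summary), the script below turns the techniques and indicators listed above into a small triage pass over Windows telemetry. It checks process-creation, registry, DNS and network-connection records for the IOC IPs, domains and tool names from this page, and for the behaviours described in the MITRE section: Defender being disabled through registry policy values, a Run key pointing at a dropped binary, rclone copying to a Mega remote, and local account creation through cmd.exe. Field names follow Sysmon conventions (EventID 1, 13, 22, 3), the sample records are constructed, and the Defender policy value names are well-known tampering values that this page itself does not list.

```python
import re
from dataclasses import dataclass, field

# Indicators listed in the summary above (network IOCs and tool/file names)
IOC_IPS = {"77.83.36.6", "193.106.31.98"}
IOC_DOMAINS = {"mega.io", "mega.co.nz"}
# file name -> ATT&CK technique the summary associates with it
IOC_FILES = {
    "build_redacted.exe": "T1486", "how_to_decrypt.hta": "T1486",
    "defenderoff.bat": "T1562.001", "defenderon.bat": "T1562.001",
    "newuser.bat": "T1059.003", "newnewuser.bat": "T1059.003",
    "rclone.exe": "T1567.002", "netscan.exe": "T1046", "openrdp.bat": "T1021.001",
}
# Defender policy values commonly set to 1 to switch protection off
# (well-known tampering values, not taken from this page)
DEFENDER_TAMPER = {"disableantispyware", "disablerealtimemonitoring",
                   "disablebehaviormonitoring", "disableioavprotection"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/add\b", re.I)


@dataclass
class Alert:
    technique: str
    reason: str
    record: dict = field(repr=False)


def _name(path: str) -> str:
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_domains(qname: str) -> bool:
    """True when the query name is an IOC domain or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def triage(records):
    """Return one Alert per record that matches an IOC or a described behaviour."""
    alerts = []
    for r in records:
        eid = r.get("EventID")
        if eid == 1:  # ProcessCreate
            img, cmd = _name(r.get("Image", "")), r.get("CommandLine", "")
            if img in IOC_FILES:
                why = f"known intrusion tool executed: {img}"
                if img == "rclone.exe" and re.search(r"\bmega:", cmd, re.I):
                    why = "rclone copy to a Mega remote"
                alerts.append(Alert(IOC_FILES[img], why, r))
            elif img == "cmd.exe" and NET_USER_ADD.search(cmd):
                alerts.append(Alert("T1059.003", "local account creation via cmd /c net user", r))
        elif eid == 13:  # RegistryEvent (value set)
            obj = r.get("TargetObject", "")
            if "windows defender" in obj.lower() and _name(obj) in DEFENDER_TAMPER:
                alerts.append(Alert("T1112", f"Defender disabled via {_name(obj)}", r))
            elif RUN_KEY.search(obj):
                alerts.append(Alert("T1547.001", f"Run key set to {r.get('Details', '')}", r))
        elif eid == 22 and _in_domains(r.get("QueryName", "")):  # DNSEvent
            alerts.append(Alert("T1567.002", f"DNS lookup of exfil domain {r['QueryName']}", r))
        elif eid == 3:  # NetworkConnect
            hit = {r.get("SourceIp"), r.get("DestinationIp")} & IOC_IPS
            if hit:
                alerts.append(Alert("T1133", f"connection involving IOC IP {hit.pop()}", r))
    return alerts


def technique_counts(alerts):
    """Summarise alerts as {technique_id: count}."""
    counts = {}
    for a in alerts:
        counts[a.technique] = counts.get(a.technique, 0) + 1
    return counts


# Constructed sample telemetry in Sysmon-style fields; not real logs from the case
SAMPLE_RECORDS = [
    {"EventID": 3, "SourceIp": "77.83.36.6", "DestinationPort": 3389, "Image": "System"},
    {"EventID": 1, "Image": r"C:\Users\Administrator\Desktop\tools\netscan.exe", "CommandLine": "netscan.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c net user backup /add"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\build",
     "Details": r"C:\temp\build_redacted.exe"},
    {"EventID": 1, "Image": r"C:\temp\rclone.exe", "CommandLine": r"rclone.exe copy D:\Shares\Finance mega:backup -q"},
    {"EventID": 22, "QueryName": "g.api.mega.co.nz"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign
    {"EventID": 22, "QueryName": "www.microsoft.com"},  # benign
]

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS):
        print(f"[{a.technique}] {a.reason}")
```

On the constructed sample the script raises seven alerts and leaves the two benign records alone. Registry matching is deliberately narrow: the Run key rule requires a value directly under `...\CurrentVersion\Run`, and the Defender rule requires both a Windows Defender key path and a known disable value, so a policy refresh that writes unrelated values does not fire. Feeding it real Sysmon or EDR exports means mapping their field names onto the ones used here.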
Read more: https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/